SAP User Authorizations.

Hi, Sachin here.
This is regarding authorizations.
I have to remove some authorizations as mentioned below.
1. SU01, SU02, SU03, SU10, SM59, SM01, SCC4, RZ20: these come under the Basis part
2. SE80, SE39, SE38, SE15, SE11, SE12, SE01: these come under the ABAP Workbench part
I have gone through the authorization roles, but all these T-codes are not present directly in the object “Transaction code check at transaction start”.
These might be in other packages.
In which packages and with which object can I remove these authorizations?
I have gone through packages like “Basis Administration”, “Basis Development Environment” and “Basis Central Function”.
There is one object “ABAP Workbench” in the package “Basis Development Environment”.
If I make this object inactive, will the above-mentioned ABAP Workbench related authorizations get removed?
Please guide.
Warm Regards
Sachin.
Message was edited by:
        scil scil

Hello Sachin,
You need to check the roles which are giving these transactions to the users.
Execute report RSUSR070 in SE38 or simply execute the transaction S_BCE_68001425.
Now under the tabstrip "Selection according to authorization values" go to the input field Authorization object1-->Object 1. Here input the value S_TCODE and press the Return/Enter key.
Now more input fields will come up. You can give t-codes here and the output will display the roles in which these transactions are present.
Then accordingly you can ensure that these roles are not assigned to the users, or maybe change the roles to suit your requirements. Though changing standard SAP roles is not a good practice; you can actually create a new role as a copy of the existing standard role under your customer namespace and subsequently make modifications to that role.
Please award points if answer was helpful.
Regards.
Ruchit.
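The role lookup described in the answer above can also be reproduced offline as a cross-check. This is an added example, not part of the thread: it assumes rows exported from tables AGR_1251 (role authorization values) and AGR_USERS (role assignments), uses constructed role and user names, and treats the DELETED flag and the plain string comparison for LOW/HIGH ranges as simplifying assumptions.

```python
from datetime import date

# Transaction codes listed in the question above.
SENSITIVE = ["SU01", "SU02", "SU03", "SU10", "SM59", "SM01", "SCC4", "RZ20",
             "SE80", "SE39", "SE38", "SE15", "SE11", "SE12", "SE01"]

# Constructed sample rows: (AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED)
AGR_1251 = [
    ("Z_BASIS_ADMIN", "S_TCODE", "TCD", "SU01", "", ""),
    ("Z_BASIS_ADMIN", "S_TCODE", "TCD", "SM00", "SM99", ""),   # interval
    ("Z_DEVELOPER", "S_TCODE", "TCD", "SE*", "", ""),          # pattern
    ("Z_DISPLAY", "S_TCODE", "TCD", "SE16", "", ""),
    ("Z_OLD_ADMIN", "S_TCODE", "TCD", "SCC4", "", "X"),        # inactive entry
    ("Z_DEVELOPER", "S_DEVELOP", "ACTVT", "03", "", ""),       # other object
]

# Constructed sample rows: (AGR_NAME, UNAME, FROM_DAT, TO_DAT) as YYYYMMDD
AGR_USERS = [
    ("Z_BASIS_ADMIN", "ALICE", "20240101", "99991231"),
    ("Z_DEVELOPER", "BOB", "20240101", "99991231"),
    ("Z_DEVELOPER", "CAROL", "20230101", "20231231"),          # expired
    ("Z_DISPLAY", "DAVE", "20240101", "99991231"),
]


def value_covers(low, high, tcode):
    """True if one S_TCODE value (single, trailing-* pattern, or interval) covers tcode."""
    low, high, tcode = low.upper(), high.upper(), tcode.upper()
    if high:                       # interval: assumed plain string comparison
        return low <= tcode <= high
    if low.endswith("*"):          # "SE*" covers SE38; "*" covers everything
        return tcode.startswith(low[:-1])
    return low == tcode


def roles_granting(agr_1251, tcodes):
    """Map each covered tcode to the set of roles whose active S_TCODE values cover it."""
    hits = {}
    for role, obj, field, low, high, deleted in agr_1251:
        if obj != "S_TCODE" or field != "TCD" or deleted == "X":
            continue               # assumption: DELETED = 'X' marks an inactive value
        for tcode in tcodes:
            if value_covers(low, high, tcode):
                hits.setdefault(tcode, set()).add(role)
    return hits


def active_users(agr_users, role, on_day):
    """Users whose assignment to the role is valid on the given day."""
    key = on_day.strftime("%Y%m%d")
    return sorted(u for r, u, frm, to in agr_users if r == role and frm <= key <= to)


def exposure(agr_1251, agr_users, tcodes, on_day):
    """tcode -> {role: [users holding the role on on_day]} for every covered tcode."""
    found = roles_granting(agr_1251, tcodes)
    return {t: {r: active_users(agr_users, r, on_day) for r in sorted(roles)}
            for t, roles in found.items()}


if __name__ == "__main__":
    for tcode, roles in sorted(exposure(AGR_1251, AGR_USERS, SENSITIVE,
                                        date(2024, 6, 15)).items()):
        print(tcode, roles)
```

Authorizations that reach a user through directly assigned profiles are not held in these two tables, so the result covers role assignments only.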

Similar Messages

  • What User authorization objects needed for connecting to SAP from xMII?

    We enter a SAP user and password for connecting to SAP from xMII to retrieve the metadata of the incoming IDocs.
    When I specify a user with SAP_ALL user profiles, the IDocs are received properly in xMII. If I specify a user with privileges to run only certain transactions, IDocs are not received in xMII.
    What user authorization objects are needed for this user to connect to SAP from xMII?
    Thanks,
    Sara

    Sam,
    I turned on the SAP System trace for this user and figured out the following auth. objects are required for receiving IDocs in xMII:
    C_TCLA_BKA
    S_RFC
    S_CTS_ADMI
    B_ALE_MAST
    S_IDOCDEFT
    The following auth. object is required for making JCO call to SAP from xMII:
    C_AFRU_AWK
    Thanks,
    Sara

  • SAP* user doesn't have full authorizations.

    Hi All,
    My Admin user for the EP7 portal is locked.
    I tried to activate the SAP* user to change the password of my admin user,
    but strangely the SAP* user is not able to do so either.
    When I click on User Admin as the SAP* user I get a message saying
    "you have not enough rights to perform this contact your systemadministrator"
    I fail to understand how the SAP* user can not have rights to admin, when its purpose is to
    act as the emergency admin user.
    Now I am helpless as this is the only way to reset the admin password.
    What should I do?
    Please help.

    Did you restart the J2EE Java?
    Also check the below blog
    SAP* - The Saviour
    Raghu

  • New sap user creation

    Hi All SAP experts,
    My company has implemented 2 Systems SAP Landscape with one development and one production server which are running on R/3 Enterprise 4.7 (Kernel Release 6.20) with Microsoft SQL 2000 as database server.
    I have the following questions regarding new sap user creation by using user copy function.
    1. When I request to create a new SAP user by using the user copy function, should I just create the user acct in DEV and transport it to the PROD system? If yes, how could I do that?
    2. When I request to create a new SAP user by using the user copy function, can I just create it on the PROD system only? If yes, what is the impact?
    3. When using the user copy function to create a new user acct, should I select all parts (like address, defaults, reference user, user groups...) of the existing user to be cloned to the new user acct?
    Thanks.
    Leon

    Hi Leon,
    Answer to your questions in their respective order:
    1. You can create the user in DEV and then make a remote client copy to the PRD system using the SCC9 t-code. Here you can choose user accounts and authorizations for the copy. (Rem: Data will be overwritten in the target system when copied.)
    You can also use client export/import (SCC8/SCC7).
    But when you do the client import from the exported files using STMS, you will have to select only one of the transport requests and then STMS automatically selects the other requests for you.
    Then it will show you the different transport requests that you have created during your export, the client copy profile and the target system and client. The customizing and application data is deleted in the target client before copying for all profiles except SAP_USER. This is technically unavoidable (and hence the data will be overwritten).
    So if you can afford overwriting of user data in the target client, you can go with the above procedure.
    2. Using user copy in SU01, you can copy one user to another user only in that client, and it is confined to that system only. So yes, if you want 2 or more users to have the same authorizations, profiles, etc., you can choose this in the PROD system.
    3. It depends. If you want the user to be in the same group, then you can choose user groups. If you want them to have the same authorizations, you can choose roles and profiles. If you want them to have the same company address and others, you can select address, and so on.
    Also below link provides required steps in case you choose local/ remote client copy:
    http://www.sap-basis-abap.com/bc/client-copy-by-using-scc8-and-scc7.htm
    Hope this helps...
    Thanks,
    Ajith
    Edited by: Ajith Kamath on Oct 20, 2009 8:28 AM

  • Purchase Order Release Strategy and SAP user RelationShip

    Hi,
    We are currently developing a workflow to streamline PO release in our company. What we want to achieve is the following.
    E.g.
    A purchase order 100001 is created and a release strategy s1 is applied to it, which is a 3-level release strategy having release codes c1, c2, c3 which are uniquely assigned to users/employees of the company, and no 2 users/employees can have the same release code.
    Now when c1 releases the purchase order, a work item should be created for the user/employee who is assigned the c2 code.
    Currently this workflow is not implemented in our company and the release strategy is handled by authorization objects, and whenever a PO user releases the PO he calls up the other person next in the release strategy to notify him about the work he has to do.
    I need to know whether we can develop a relationship between the release code and the SAP user or employee.
    Regards
    Kamran ellahi

  • Learning SAP BW authorizations structure and hierarchy  -  concepts

    Hello Experts,
    I need a good document for learning authorization structuring and hierarchy in SAP BIW 3.5. I am giving authorizations in BIW but do not have conceptual and fundamental knowledge of SAP BW authorizations and their structure. Please send a good document for learning BW authorizations; it may be an excerpt from the FU&FU guide. My Email Id is [email protected]
    A short but complete document covering SAP BW fundamentals, concepts and structure & hierarchy is appreciated.
    Requested to revert at the earliest as this is very urgent.
    Points guaranteed.
    Regards,
    Somya

    Hi maheshwari ,
    Use these steps for authorizations,
    1. Before going to authorizations u have to decide on which InfoObject u have to apply authorizations.
    EX: SD -> Sales Org, MM -> plant, purorg, FI -> companycode.
    First u have to decide which area & on which InfoObject.
    2. Go to that InfoObject --> change; there check the checkbox "Authorization relevant object".
    2. After that u have to go to RSSM; there u have to create an authorization object.
    Ex: Zxxx (XXX is the InfoObject name).
    3. In the same transaction screen u have an InfoCube selection radio button; check that, then select on which cube (cube means all queries under that cube) u have to make the authorization for that particular InfoObject.
    4. Next go to PFCG, create a role & save it.
    5. Go to the Authorization tab, in that select edit authorization; it will automatically give authorization templates, in that u have to select only S_RS_RREPU & press Enter.
    6. Select the manual pushbutton; it will ask for the authorization object; enter the authorization object u have created (zxxx).
    7. Click generate + Enter.
    8. Go to the user tab, enter userId + Enter + click on user comparison + Enter.
    9. Save the role.
    FOR HIERARCHIES:
    1. Go to RSSM. There u have one radio button called authorization hierarchy (this radio button is at the very bottom of the RSSM screen).
    2. There u have to select the hierarchy on which u have to apply authorization.
    Thanks,
    kiran

  • Oracle 10g Rel 2  - Proxy connection authentication with SAP User ID

    Dear Experts,
    We are currently doing some research and planning to upgrade SAP R/3 4.6C to ECC 6 and upgrading Oracle from version 9.2 to 10.2
    In upgrading to Oracle vers. 10g Rel 2, we got advised that Oracle has apparently introduced a new proxy connection authentication, in which the SAP user ID is given limited privileges (create session only) ??
    If you have any information on this or known any impact about this issue, please advise us.
    Thanks in advance.

    Thanks for your help, Kaushal.
    I also found the SAP Note 834917 (Oracle Database 10g: New database role SAPCONN) and it seems to be in the right direction to cope with that problem.
    - For Oracle releases earlier than 10gR2, the CONNECT role includes extensive database authorizations; CONNECT is more restrictive as of 10gR2.
    - To overcome this restriction, SAP needs to find a way to compensate for this, so along comes SAPCONN.
    - SAPCONN is the new SAP-specific database role, which is defined to support the normal SAP applications operations (CONNECT, RESOURCE and SELECT_CATALOG_ROLE).
    Once again, thanks.

  • SAP USERS ROLE TABLE

    Can someone tell me the SAP USERS ROLE TABLE?
    I will assign points to any input.
    Balance Roll forward     
    Change Vendor Line Items
    Change Parked Vendor Document
    Change/ Reverse Vendor Invoice     
    Check Processing
    Clear Accounts Payable Items
    Display A/P  Balance & Items
    Display Checks     
    Display Vendor Documents     
    Display A/P Master Data     
    Display Parked Vendor Documents     
    Account Payable Interest Calculation     
    A/P Invoice Entry     
    A/P Accounting Key Reports     
    Manual Payment     
    Payments Using Bill of Exchange     Display
    Payment Run Parameters     
    Create and Process Payment Run Proposal     
    Accounts payable period closing     
    Post Parked Vendor Document     
    Maintenance of Accounts Payable Master Data     
    Process Withholding Tax

    go to t code PFCG
    Search for roles with SAP_FI_AP*
    You could always create your own role.
    In the Menu tab add the t codes you have specified.
    You will then need to add the authorization objects in the authorization tabs.
    For the t codes you have I guess it would take an hour max.

  • Need a Query/User Authorization Report

    Hello All,
    I am looking for tables, function modules, programs etc that will aid in building a report that will show every query and which users have access to them.
    This program I am wanting to build will serve as a periodic "reality check" on our authorizations.
    I am not sure about the tables/programs etc involved in interpreting the user's roles/profiles.
    My current thinking is that there may be a function module or program that is being used by the BEx tools that comes up with the list of queries that the user has access to when they first select the query they want to run. Getting a hold of that would be very beneficial.
    Any ideas?

    Hi,
    Refer to the links below
    www.das.state.ne.us/nis/security/docs/authorized_agent_manual.pdf
    script.wareseeker.com/PHP/uas-user-authorization-system.zip/18033
    eda.ogden.disa.mil/users_guide/trainMaterial/GeneralAdminMaint.ppt
    www.umaryland.edu/eumb/Documents/user_aff.pdf
    www.mariewagener.de/node/98
    https://wiki.sdn.sap.com/wiki/display/BI/AuthorizationinSAPNWBI?focusedCommentId=78053701
    www.bi-expertonline.com/downloads/Smith.doc
    https://aisweb.wustl.edu/hr/benefits.nsf/pages/files/$file/hrmssecurityauth07.pdf
    www.sapdev.co.uk/sap-bw/queryexit.htm
    naresh

  • CRM Analytics - User Authorization Not Suficient

    Hi Guys,
    We have implemented the CRM analytics report, however when I access the menu Sales Pro in CRM and try to open the report Closed Opportunities, I get the error : User Authorization not sufficient.
    If I open the error I get the message :
    Diagnosis
    The user doesnot exist in the BI client or has insufficient authorizations
    Procedure
    Contact system administrator to verify the user is setup properly in both CRM and BI client
    Procedure for System Administration
    Verify that the user exist in BI client with the same user id, if not create it and assign proper authorizations as per the configuration guide.
    When I run the query or the webtemplate in BW I don't have authorization problems, but I can't run from CRM.
    Any suggestion about how to fix it?
    Thanks in advance,
    Fernando

    Hi Fernando,
    The report which you have implemented is doing an RFC call to the BI system, where some other system program is getting called which has an authorization check for the RFC user (or the person who is running the report). Here the report is terminating with an error. I have faced a similar issue.
    Generally we schedule such reports as a background job with a batch user which has SAP ALL access, but I feel in your case the user who runs the report does not have sufficient authorization in the BI system and also you are not running the report as a background job.
    There are two tricks to find out the missing authorization which I also have used.
    First option: close all the sessions except one in CRM and then run the report; as soon as the error comes, open transaction code SU53 to know the missing authorization. You may fail here, as the authorization check fails in BI.
    The second option will definitely work. When the error comes, double-click on the message to know the message detail (class and number), then run the report again in debugging mode (type /H in the address bar to activate debugging), then set a breakpoint on the message and press F8 (maybe the system will not set the breakpoint immediately, then you need to debug till the RFC calls the BI system). The system will take you to the exact authorization check in the code where the error is coming. There you can find out the missing authorization object which is not included in the user's assigned role. Then you can ask the access team to add it to the user's role.
    I hope this will solve your issue. Please revert with your findings.
    Thanks,
    Prem

  • Creating second InfoView entry point for SAP users in XI 3.1

    Hi All,
    I have BOE XI 3.1 up and running with the Business Objects Integration kit SAP Solutions kit I would like to create a second infoview entry point for SAP users on the same physical box (single server) as regular InfoView. 
    I am trying to mock this up and have detailed the following steps below.  I suspect I am missing a few steps (for example, where do I specify the entry port?).  I am sure step 2 is wrong, as the desktoplaunch no longer exists in XI 3.1
    1.  Copy the InfoView.war file to a new directory ( Program Files/Business Objects/ Business Objects Enterprise 12.0/java/applications/sap).  I imagine I would need to rename the war file (say SAPInfoview.war)?
    2.  Create a xml file with the following logic (the part in bold I consider to be wrong...):
    <Context docBase="Program Files\Business Objects\Business Objects Enterprise 12.0\java\applications\sap\SAPInfoview.war"
    path="/businessobjects/enterprise115/desktoplaunch"
    crossContext="false" debug="0" reloadable="false"
    trusted="false"/>
    3.  Save the xml file (what name? does it matter) in Program Files\Business Objects\Tomcat55\conf\Catalina\localhost
    4.  Restart Tomcat
    5.  Change the web.xml to make SAP security the default.  But this should not be the regular infoview web.xml.  I'm not sure where this would reside.
    Thanks,
    Steve
    Edited by: Steve Bickerton on Jan 15, 2009 9:19 PM

    Hi Ingo,
    You've been working with Duncan and Sartaj on this.  The client has two sets of users:  non HR which has no BW or R/3 authorization restrictions, and HR, which has authorization restrictions.
    They have deployed SSO using AD for the non HR users.  They also want to leverage InfoView rather than the SAP portal.  For the HR users, we therefore need to capture the SAP id and password at login time to enforce security at the BW and R/3 levels.  We could use the existing Infoview entry point (SSO will fail and they will be prompted for a SAP login).  I do remember that we offered a second InfoView entry point for SAP users in XIR2.  I thought this may be more elegant.
    Thanks,
    Steve

  • Creating variable with the user Authorization in BEx

    Hi gurus,
    I want to create a variable with user authorization in BEx. Can anyone please tell me the steps to create the variable for authorization?
    Thanks in advance
    sandy

    Hi,
    Please take a look and refer to the section Use of Variable filled Authorizations (User Exit)
    Advanced Features of SAP BW Reporting Authorizations
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
    Hope this helps.
    Cheers,
    Gimmo

  • PA30 User Authorizations

    Hi,
    I have developed a Web Dynpro application which enables users to change their personnel details like work contact no., emails, cell no. etc. The users can access the iView through ESS.
    I am facing some authorization issues, as the changes can be done only if a user has authorization for TC: PA30, but we have non-SAP users who use ESS and try to change their details. Is there any other way we can get around this problem?
    Regards,
    Kumar

    Hi Ramm,
    I followed as suggested
    country   infotype   subtype   use case
    08        0040       0011      A1
    08        0105       0001      A1
    08        0105       0005      A1
    08        0105       0010      A1
    08        0105       0020      A1
    It's coming up with an error saying that
    There is an inconsistency in the usecase maintained for this record.
    Message no. HRXSS_PER003
    System Response
    There is an inconsistency in the usecase maintained for this record.
    Procedure
    In order to change the usecase goto the view "V_T7XSSPERSUBTYP" and change the corresponding usecase of the infotype/subtype.
    Thanks,
    Kumar

  • All the users authorization report

    Dear Experts,
    I want to run all the users' authorizations in SAP. I want to prepare an authorization matrix from all the users.
    Please help me on this. Thanks in advance.
    Regards
    S.Prasad

    Hi,
    Post your query in the ABAP forum.
    The following tables are useful to create such a report
    ROLES BY  TCODE  ASSIGNMENT
    TSTCT
    AGR_1251
    ROLES BY  USERS ASSIGNMENT
    AGR_USERS
    USER_ADDR
    ROLES BY ORGANIZATIONAL LEVEL ELEMENT ASSIGNMENT
    AGR_1252
    USVART
    regards,
    kaushal

  • How to give user authorizations for a Program or an ICF service

    Hi,
       1) How to give user authorizations for a report program or an ICF service.
       2) How to create a user authorization object.
    Regards,
    Vinay.

    check this online help for more info on authorization object creation
    http://help.sap.com/saphelp_nw04/helpdata/en/52/67168c439b11d1896f0000e8322d00/frameset.htm
    for question no1.
    ICF - you either maintain the auth obj relevant at the icf service level itself or you can code call authority object and block access
    for abap programs:
    you maintain auth object at the tcode or code the call authority object within the program
    Regards
    Raja
